Cybersecurity experts have discovered a previously unknown attack campaign that relies on compromised routers. The campaign, known as 'Hiatus,' is complex and targets business-grade routers. It deploys two malicious binaries: a Remote Access Trojan (RAT) called 'HiatusRAT' and a variant of tcpdump that performs packet capture on the infected device. Details about the campaign and the malware involved were released in a report from a security researcher.
Once a targeted router is infected, HiatusRAT lets the threat actor interact with it remotely. It includes unusual prebuilt functionality that turns the compromised device into a covert proxy for the threat actor. The packet-capture binary lets the attackers monitor router traffic on ports associated with email and file-transfer communications, effectively giving them the ability to steal confidential information.
The Attackers Target End-of-Life Business Routers
The Hiatus campaign targets end-of-life DrayTek Vigor models 2960 and 3900, which run on an i386 architecture. Researchers have, however, also observed prebuilt binaries for MIPS, i386, and ARM-based architectures. These routers are typically used by medium-sized businesses and can support VPN connections for hundreds of remote workers.
The threat actors behind the campaign are suspected of infecting targets of interest to collect data, while also using opportunistic infections to build a covert proxy network. The campaign consists of three main components: a bash script deployed post-exploitation, and the two executables that script retrieves - HiatusRAT and a variant of tcpdump that enables packet capture.
Analysis found that HiatusRAT serves two primary purposes. First, it allows the actor to interact remotely with the affected device, enabling them to download files or run arbitrary commands. Second, it can operate as a SOCKS5 proxy on the router. This is likely used to relay Command-and-Control (C2, C&C) traffic from an additional agent located elsewhere through the router, obscuring that agent's communications.
The Threatening Capabilities Found in HiatusRAT
The attack begins with the deployment of a bash script that downloads and executes the RAT, which then collects system, network, file-system, and process information from the compromised router.
HiatusRAT also contacts its Command-and-Control server every 8 hours and, if the check-in succeeds, gives the attackers remote access to monitor and control the infected device. Reverse-engineering revealed several extremely dangerous capabilities: spawning remote shells on infected devices; reading, deleting, and exfiltrating files to the C2 server; fetching and executing files from the C2 server; executing scripts from the C2 server; and forwarding TCP traffic to other destinations through SOCKS v5 proxies set up on the breached routers. The operators can also instruct the implant to terminate itself.
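The fixed 8-hour check-in described above is a detection opportunity for defenders: a router that opens a session to the same external host at near-identical ~28,800 s intervals stands out in connection or flow logs. The following is an added example, not code from the report or the malware, that scores per-peer timing regularity over a small constructed log; the log format, hosts, and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log (not taken from the report): one outbound
# TCP session per line seen from the router, "timestamp src dst dport bytes".
SAMPLE_LOG = """\
2023-03-01T00:03:11 192.0.2.10 198.51.100.77 443 1280
2023-03-01T01:15:40 192.0.2.10 203.0.113.5 443 94000
2023-03-01T08:03:09 192.0.2.10 198.51.100.77 443 1310
2023-03-01T11:42:02 192.0.2.10 203.0.113.9 80 5600
2023-03-01T16:03:14 192.0.2.10 198.51.100.77 443 1290
2023-03-01T19:20:55 192.0.2.10 203.0.113.5 443 71000
2023-03-02T00:03:12 192.0.2.10 198.51.100.77 443 1275
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_beacons(text, period_s=8 * 3600, tolerance=0.05, min_sessions=3):
    """Return [(src, dst, mean_gap_s)] for peers contacted on a near-fixed
    schedule close to period_s (default: the reported 8-hour HiatusRAT C2
    interval). Both the average gap and its jitter must sit within
    tolerance * period_s, so bursty or irregular traffic is not flagged."""
    sessions = defaultdict(list)
    for ts, src, dst, _port in parse_log(text):
        sessions[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in sessions.items():
        if len(times) < min_sessions:
            continue  # too few sessions to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if abs(avg - period_s) <= tolerance * period_s and pstdev(gaps) <= tolerance * period_s:
            hits.append((src, dst, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

In a real deployment the same logic would run over NetFlow or firewall logs for the router's WAN address, with the period left tunable because other implants use different schedules.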
Additionally, the attackers use the SOCKS v5 proxies to route data from other breached devices through the infected router. This obscures the true origin of the traffic and makes it resemble legitimate activity. Organizations should be aware of this threat and take measures to secure their networks against such attacks.